Linux-Viruses: An Unpleasant Surprise or a Forecast That Came True?

12 Apr 2001, Virus News

Guidelines for Enterprise Wide Linux Security

Predictions of a worldwide epidemic of Linux viruses came true in the first quarter of 2001. The recent incidents caused by the Ramen Internet worm and its numerous modifications, as well as the multi-platform virus Pelf (Lindose) and other Linux-targeted malicious code, have proved that this operating system, previously considered the best-protected software, has fallen victim to computer viruses.

Why Linux?

Modern computer virology defines three main requirements for malicious code to exist within an operating system or application as follows:

The environment should be well documented. In order to create a virus, one should know as many details as possible about how the operating system works. Otherwise, creating a virus could be as difficult as making an aircraft without knowledge of the basic principles of aerodynamics.

Weak protection, meaning the presence of known vulnerabilities in the security mechanisms and the possibility of creating self-replicating and self-spreading objects.

The operating system or application should be widespread. Many years of anti-virus practice clearly show that virus writers are interested in creating malware only for computing environments that are popular, so that their "products" can cause mass infection.

Until recently, Linux met all of these requirements except the last one. Today, Linux's popularity has reached the threshold at which virus writers have switched from writing "traditional" malicious code for Windows and Microsoft Office to a new, very dynamically developing area of the computer industry: Linux.

Who's the victim?

Was the computer world ready to meet the new challenge to global computer security? We define three main groups of corporate users, according to their level of readiness to combat Linux viruses:

Companies which have a clear, well-balanced enterprise-wide security policy that considers not only today's but also future threats to the normal operation of computer systems.

Companies having a clear, well-balanced enterprise-wide security policy that concentrates only on today's threats and ignores future danger.

Companies having no enterprise-wide security policy, using only sporadic, point-targeted security measures without considering future threats.

Unfortunately, only the first group of users was sufficiently prepared to face the new security challenges, while the other two groups have fallen victim to the newly born Linux viruses. The lack of an active, future-oriented approach to computer protection and the neglect of basic rules of information security were the main reasons for Linux viruses appearing "in the wild" and causing mass infections around the world.

Today, nobody questions the absolute necessity of every Linux-based file or application server having anti-virus software installed. Such software stops malicious code from being passed on to other operating systems and wreaking havoc in other segments of the corporate network.

A most disturbing aspect is that the vast majority of Linux-based workstations are not equipped with adequate virus protection. Many users still rely solely on strict regulation of user access rights, which can stop malicious code from spreading beyond the current user account. However, a virus can still destroy important data and exploit security holes to obtain root privileges and thereby gain access to all resources of the Linux system. In this case, centralised server-based virus protection is not sufficient, because unchecked data traffic (files received from the Internet, floppy disks, CDs and other removable storage devices, etc.) can bypass it.

The solution

One of Kaspersky Lab's main priorities is long-term forecasting of the ways in which malware may develop; we always strive to provide our customers with the most reliable protection before a real virus epidemic strikes.

Analysis of modern trends in operating systems allowed our company to make rather bleak forecasts about future threats posed by Linux-specific malicious code and to commence development of appropriate defence systems. As a result, in the first part of 1999 Kaspersky Lab introduced the world's first integrated anti-virus software for Linux.

Today, Kaspersky™ Anti-Virus for Linux is the acknowledged leader in the field of virus protection and is considered the most technologically advanced software for Linux security. It includes the most comprehensive set of virus defence technologies:

an anti-virus scanner that checks data storage on demand;

an anti-virus daemon for real-time data filtering; and

an anti-virus monitor that reliably intercepts every file being accessed and submits it for virus checking.

Kaspersky Anti-Virus for Linux can be used for the reliable protection of workstations and of file and application servers, including Linux-based e-mail gateways such as Sendmail, Qmail and Postfix. The client part of the software is supplied as open source code, enabling a user to easily integrate the product into third-party Linux applications in order to perform user-specific tasks. Kaspersky Anti-Virus is compatible with any Linux distribution using the NSS library version 1.* (or compatible). The easy-to-use and intuitive user interface makes the program's installation, configuration and updating supremely convenient.

Thanks to its support for a wide range of Linux executable files (ELF, script files, etc.) and Linux-specific packaging utilities (TAR, TGZ, etc.), Kaspersky Anti-Virus provides protection against all types of computer malware, including those specifically developed for Linux. In addition, the product is powered by a highly efficient technology for combating even unknown Linux viruses. The product has proved its reliability by successfully repelling the attacks of all modifications of the Ramen Internet worm (such as "Lion" and "Adore") without any extra updates to the anti-virus database.
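To make concrete what archive and file-type support of the kind described in the list above and in this paragraph amounts to in practice, here is an added example (not code from the article or from Kaspersky's product) of a minimal on-demand scanner: it walks a directory tree, descends into TAR and gzip-compressed TAR archives, recognises ELF binaries and scripts by their leading bytes rather than by file name, and matches each file's contents against a signature list. The signature patterns, the file names and the sample tree it builds are invented for the demonstration and correspond to no real malware.

```python
"""Minimal on-demand scanner: walks a tree, recurses into TAR/TGZ archives,
classifies members by magic bytes and matches a constructed signature list.
Added example; signatures and fixtures are invented for the demonstration."""
import io
import os
import shutil
import tarfile
import tempfile
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"   # first four bytes of every ELF object
SHEBANG = b"#!"          # interpreter line of a script file
MAX_ARCHIVE_DEPTH = 3    # bound on nested archives so a nesting bomb cannot exhaust the scanner

# Constructed demo signatures (name, byte pattern); a real engine uses far richer logic.
SIGNATURES = [
    ("Demo.ELF.Marker", b"DEMO_ELF_MARKER_0001"),
    ("Demo.Script.Marker", b"DEMO_SCRIPT_MARKER_0001"),
]


@dataclass(frozen=True)
class Finding:
    path: str       # path relative to the scan root; archive members are joined with "::"
    kind: str       # "elf", "script" or "other"
    signature: str


def classify(data: bytes) -> str:
    """File-type detection by content, not by name or extension."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(SHEBANG):
        return "script"
    return "other"


def open_tar(data: bytes):
    """Return an open TarFile if data is a (possibly compressed) TAR, else None."""
    try:
        return tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError:
        return None


def scan_data(path: str, data: bytes, findings: list, depth: int = 0) -> None:
    tar = open_tar(data) if depth < MAX_ARCHIVE_DEPTH else None
    if tar is None:
        kind = classify(data)
        findings.extend(Finding(path, kind, name) for name, pat in SIGNATURES if pat in data)
        return
    with tar:  # descend into every regular-file member, one level deeper
        for member in tar:
            fh = tar.extractfile(member) if member.isfile() else None
            if fh is not None:
                scan_data(f"{path}::{member.name}", fh.read(), findings, depth + 1)


def scan_tree(root: str) -> list:
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                scan_data(os.path.relpath(full, root), fh.read(), findings)
    return findings


def _add_member(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_sample_tree(root: str) -> None:
    """Constructed fixtures: a fake ELF, a marked shell script, a clean file and a
    .tgz that wraps a plain .tar holding another copy of the fake ELF."""
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9 + b"DEMO_ELF_MARKER_0001\n"
    script = b"#!/bin/sh\necho DEMO_SCRIPT_MARKER_0001\n"
    files = {"bin_marker": fake_elf, "run.sh": script, "README": b"nothing to see\n"}
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    inner = io.BytesIO()
    with tarfile.open(fileobj=inner, mode="w") as t:
        _add_member(t, "payload/bin", fake_elf)
    with tarfile.open(os.path.join(root, "bundle.tgz"), mode="w:gz") as t:
        _add_member(t, "inner.tar", inner.getvalue())
        _add_member(t, "notes.txt", b"clean\n")


def demo() -> list:
    """Build the sample tree in a temporary directory, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.kind} -> {f.signature}")
```

Two design points carry over to real scanners: type is decided from content (an ELF renamed to `.txt` is still reported as `elf`), and archive recursion is depth-bounded so that a deliberately nested archive cannot make the scanner unpack without end. The copy of the marked binary inside the nested `.tar` within the `.tgz` is reported with its full `bundle.tgz::inner.tar::payload/bin` path.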

Kaspersky Lab also offers "Rescue Kit", a unique boot system designed to restore a computer to working order after it has been attacked by a virus and lost its ability to boot. "Rescue Kit" creates a set of Linux-based start-up diskettes with a pre-installed copy of Kaspersky Anti-Virus for Linux. It allows a "clean boot" and performs comprehensive virus scanning of all the most popular file systems:

FAT (DOS)

FAT32 (Windows 95/98/ME)

NTFS (Windows NT/2000)

HPFS (OS/2)

EXT (Linux)

Today, Kaspersky Anti-Virus is one of the most widespread anti-virus products for Linux. It is used every day by thousands of corporate users worldwide.

What's next?

Linux has become one of the major operating systems for running file and application servers in a networked environment. At the same time, it is gaining popularity as a desktop standard, as many companies install Linux at the workplace of the average user. We forecast that this could stimulate the development of Linux-specific malware, for the following reasons:

In most cases, end users will not be able to properly install and configure the built-in security system, because it is too complex and requires special knowledge.

Virus writers could employ the so-called "social engineering" method to penetrate computers. Previously, this was used in such infamous Internet worms as "LoveLetter" and "Anna Kournikova".

Another challenge to Linux security could be multipartite viruses, i.e. viruses that are able to operate in several operating systems at the same time and successfully infect files of different formats. In this case, Linux users will be forced to check not only Linux files but all files, regardless of the operating system they are designed for.

In general, we see the following common features of future Linux malware:

Exploitation of security breaches and vulnerabilities.

Use of technologies of mass distribution via e-mail and the Internet.

Background infection, at the server level, of all traffic passing through.

Use of unauthorised remote control utilities (backdoors).

5 rules for Linux corporate security

The only way to protect corporate networks against the new generation of Linux-specific malicious programs is to implement and enforce a strict enterprise-wide policy that includes the following points:

Regular tracking of newly discovered security holes in the Linux operating system and in the Linux applications in use. To do this, we recommend that users subscribe to the security-oriented mailing lists available at their Linux software vendors' Web sites.

Immediate installation across the entire network of the latest updates and patches for newly discovered security holes. Where patches are not yet available, we recommend applying a temporary workaround that neutralises the existing vulnerability.

Installation and regular updating of Linux-specific anti-virus software on all Linux-based machines within the corporate network, including workstations, file and application servers and e-mail gateways.